Posted
by
timothy
on Tuesday June 26, 2012 @10:33AM
from the correctly-formatted-theocratic-calls-for-caning dept.

Regular contributor Bennett Haselton writes "As Google releases more data about their compliance with requests from foreign governments, they should clarify their stance on exactly when they will comply with requests to turn over user data to foreign law enforcement." Bennett expands on that thought below; read on for some details of just why that kind of disclosure matters, in making sense of Google's own efforts to provide transparency.

Google, as part of its ongoing Transparency Project, announced last week the release of its latest data on
takedown requests and
user account information requests
from governments around the
world.
I'm glad that
notorious human rights violators like Turkey
are still scoring 0 for 88 in their
requests to get Google to turn over information on users allegedly breaking Turkish law.
But Google should still clear up some ambiguities in its stated policies about when
it will remove content in response to a government request, and (especially)
when it will turn over user information to foreign law enforcement. Google's FAQ on user data requests says that
"whenever we receive a request we make sure it meets both the letter and spirit of the law before complying."
This, however, raises
a few questions:

Does "the letter and spirit of the law" refer to U.S. law, or the law in
the country from which law enforcement sends the request? Presumably if a
user in China or Saudi Arabia were using their Google account to send messages
that criticized their own government, in violation of local "laws," Google would
not turn over that user's information to that country's law enforcement on
demand. That should be an easy call, since China and Saudi Arabia are dictatorships.
But what about democratic countries like Canada and Germany, which nonetheless have
anti-hate-speech laws that are inconsistent with American free speech guarantees?
If German law enforcement demanded the identity of a German account holder who was
publishing Nazi propaganda (which would be legal in the U.S., but is illegal in Germany),
what would Google do?

What if foreign law enforcement claims that a Google account holder is doing something
which would be illegal even in the U.S. — but the request comes from a country where
law enforcement is known to be corrupt? And what if the claim is such that Google
can't verify the veracity of the claim by simply looking at the account contents? (For example,
if law enforcement claims that a criminal gave the police a gmail.com address as a Dropbox for
them to respond to a ransom demand, Google can't verify that claim just by looking at the contents
of the inbox.) In such cases, does Google respond to the request anyway, even if the police
might be lying in order to unmask a Google account holder who hasn't done anything illegal?

Does the answer to either #1 or #2 above depend on whether Google has offices in the country making
the request, and can be more easily pressured to comply with their demands?

With regard to governmental requests to remove content, Google has also not explicitly stated
whether they use local laws or U.S. laws as a guideline. However, based on the incidents in the
Notes section, the
rule seems to be: Google will remove content only if it violates Google's own terms of service, but if content
violates local laws in a given country, Google may block access to that content
from that country, even if the content doesn't violate Google's policies.
For example, Google restricted users in Thailand from
viewing YouTube videos that offended the Thai monarch, and restricted Turkish users from viewing two
videos that criticized Atatürk. As insulting as this is to
the free speech rights of the people of those nations, Google could argue that if they hadn't
restricted those videos, the entire YouTube site would have been blocked in those countries (which it has been in the past,
in both Thailand and
Turkey). And at least having your YouTube videos blocked in your home country won't
put you in physical danger.

On the other hand, having your identity unmasked and turned over to your government could put you at risk of arrest
and a long prison sentence, as happened to
Shi Tao after Yahoo disgracefully turned his information
over to Chinese officials. So it's a good thing that Google's compliance rate with user data requests is much lower.
But given the higher stakes, it's all the more important for Google to clarify when they
will comply with such requests.

I sent a message to Google's press office asking about their policy of following the "letter and
spirit of the law" in complying with data requests,
and whether that referred to U.S. law or the law in the country whose government made the demand. I got back a
response copied and pasted from the
user data requests FAQ:

Like all law-abiding companies, we comply with valid legal process. We take user privacy very seriously,
and whenever we receive a request we make sure it meets both the letter and spirit of the law before
complying. When possible and legal to do so, we notify affected users about requests for user data that
may affect them. And if we believe a request is overly broad, we will seek to narrow it.

I immediately wrote back:

But when you say you make sure a request "meets both the letter and spirit of the law", whose law
are you talking about — U.S. law, or the law of the country where the request originated?

If Saudi Arabia has laws on the books against criticizing the King, and the Saudi police use
that as the pretext to demand that you turn over a subscriber's identity because that user
criticized the government, I presume you don't comply with requests like that. But does that
mean that you only turn over subscriber identities if the foreign law enforcement can show that
the subscriber did something that would be illegal under U.S. law?

(It's always a bit awkward trying to turn a cut-and-paste job into a real conversation.) Google's PR
said they had nothing more to add, but I've asked some mid-to-highly-placed friends at the company
to see if they could get someone to comment in more detail, and I'll follow up if they get back to me.

The question came up when I was at a conference talking with some activists from Latin America, who were
asking about the safest way to email a sensitive message or document out of the country over an
encrypted connection, to a contact person in the U.S.
I said that even though they had already heard about solutions like
Tor and PGP,
the simplest solution in their case would just be to use Gmail to send the message or the file,
since their connection to Google's Gmail servers in the U.S. would be encrypted over https://. (Once
the message is sent out from Gmail's servers to its recipient,
it would be transmitted unencrypted,
but by that point the law enforcement in the sender's home country would no longer be able
to intercept it.) Another techie pointed out that Google had long been complying with many foreign
governments' requests for user data, as documented on their Transparency Project page, and said
that should be taken into account before recommending for anyone to use Google products in a hostile country.

But if you look at the
Transparency Project chart
for user data requests, it looks like Google
does not regularly hand out user data to regimes that are major human rights violators (the only two such
countries appearing
on the list are Russia and Turkey, and Google has apparently complied with exactly 0% of their requests).
I'm not a fan of everything that every other country on that list has done, but they're mostly democratic
nations that are probably not abusing the data request process as much as, say, Venezuela would.

So even without specific assurances from Google, I still think that Gmail is safer than
PGP for the purpose of sending an encrypted message out of a hostile country without attracting attention
to yourself. Remember, if you send a message to someone encrypted with PGP, and a third party intercepts
the message, the interceptor can still see that the encrypted portion is bookended with the words "BEGIN PGP ENCRYPTED
MESSAGE" and "END PGP ENCRYPTED MESSAGE" — so even if they can't tell what you said, they
still know that you went out of your way to send an encrypted email.
(Similarly, if you're using Tor, an eavesdropper can't tell what
you did over your encrypted Tor connection, but they could still detect that you're using Tor, either
by studying the traffic patterns or by keeping a list of known Tor servers and watching to see if
you connect to one of them.) By contrast, everyone who connects to Gmail, connects automatically over
an encrypted https:// connection, so an eavesdropper would not detect anything unusual about your usage
of Gmail that might tip them off that you were trying to hide something. Gmail is the safest of the major mail
providers in this regard; Hotmail serves your messages over an encrypted connection only if you opt in to that feature,
and Yahoo Mail doesn't provide that option at all. So it's precisely because Gmail is an almost-perfect
secure communications solution, that I'd really like to be able to trust it even more, by getting a clearer
statement from Google about when exactly it would turn over a subscriber's identity to a government.

Google
seems like they're trying to do the right thing in response to demands
from foreign countries with less-than-stellar human rights records.
With regard to user data requests,
Google must be following some internal
rule, and the right thing to do would be to tell us what the rule is.

Nevertheless, Google is pioneer on transparency reporting, no other company had gone such extremes to publicize this kind of info. This should always be mentioned when criticizing their Google Transparency Report system. I didn't read the treaty above, but skimmed and saw nothing of sort.

yep. Leading the way as usual. It's not like you'll ever hear of this from any other large technology focused companies - that's for certain. Whether it's manufacturers or software developers or any other aspect of technology, all you get is a general lack of transparency.

Americans tend to forget they are foreign to the majority of the world. From a UK perspective the "local laws" of the US appear very different, a country that executes their citizens, prosecutes people who cross the road without state help and allows people to carry firearms with minimal checks. Yes, I'm sure that the UK has some equally strange laws when seen from the outside, but my point is that US law isn't "international law", but far from it. The closest any one country comes to that is Scottish law (different to UK law), and even that varies wildly. I'd assume that Google follows the local law of whichever country it's operating in at the time (which may or may not include other legal codes, eg European legislation in EU countries), so we'll probably see wild variations in how they respond.

I know, random examples and you don't really mean aything by it, but I felt I had to expand / defend. I totally agree with you in that "US Law" is not the same thing as "international law" and I do find it disgusting that our government tries to enforce it outside our borders and such.

1: Executing citizens: very controversial and is not legal in many states. Is hardly used at a whim, and when it is used there is strong deliberation in the court whether to use it or go with something like life imprisonment. Again, this is only used against people like murderers.2: Jaywalking: makes sense in a place like new york, where people randomly crossing the street is not only dangerious but fucks up traffic. Most places people look before they cross and are curtious enough to not interrupt traffic, but at such high populations we can't rely on people being nice. Enforcement of this outside of major population centers is practically non-existant.3: We've had a bloody birth. The lack of checks is because of paranoia that the government can use the collected data to take them away from us. These guns are one of the few things keeping our government from outright fucking us all. Sure, there are some vocal nuts who make it seem like we just like guns, but that's not how it really is.

With reference to point 3, do Americans honestly believe that an armed overthrow of the government is possible? Let's presume the US government does actually overstep the boundaries by (for example) instructing the military to open fire on a peaceful protest and there's a mass uprising - you'd have the military in an odd situation where they have to decide whether they work for the people or the government, if it's the latter then you have millions of people with pistols and rifles facing A-10s and tanks.

We're supposed to have both. The right to bear arms came around back in the days where there was no difference between the gear the armed forces had and that which was available to the citizens. The gap has been getting wider yes, but wouldn't it be better to try, than to just give up?

Oh, absolutely, but if you're going to legislate to protect the people from a rogue government I just think there's better ways to do it than giving the public peashooters. As somebody on here says in their sig, "Soap box, ballot box, ammo box, in that order" - except I can't help but think the last one is pretty futile if the military are sworn to follow the government no matter what.

Well between those very same sort pea shoots and IEDs the various groups in Afghanistan have kept our so powerful military bogged down for ten years.

No I don't think it would be possible to organize civilians with typical consumer fire arms and lead a siege of Washington that is opposed by the military. I do think the guns being out there make our government a bit concerned that riots might be uncontrollable and stops them from doing anything to unpopular.

So if the military side with the government they'll be swamped in a asymmetric campaign against "the terrorists". If there are enough "terrorists" and/or enough "terrorist sympathisers" who refuse to pay taxes then the army will be defeated by withdrawing their funding. If there aren't enough then there will be something on a spectrum from "local uprisings" to full blown civil war. You've essentially got the same situation as Syria is currently

That's good idea, lets amend the Constitution to give the president 60 days to use the armed forces. That way an immediate response can be made if we are attacked or there is some other crisis. After that rather than Congress authorizing war, lets make it a popular vote.

We're supposed to have both. The right to bear arms came around back in the days where there was no difference between the gear the armed forces had and that which was available to the citizens. The gap has been getting wider yes, but wouldn't it be better to try, than to just give up?

Well, the reason for the 2nd amendment was because of what the British armies were doing to the colonies. Think entering homes and killing and all sorts of other things. Hence the right to bear arms was meant to be able to rep

You need to read more of the writings of Thomas Jefferson. Much of what he wrote about government vs. the governed is EXACTLY what the right to bear arms centered around. It's about the right of the people to defend themselves from any oppressor, foreign or domestic. This specifically includes the government.

As long as the number of gun owners is more than 50 times the number of soldiers, high tech weapons dont matter. Remember almost half the households have guns, and the guns are spread out all across the country.

As long as the number of gun owners is more than 50 times the number of soldiers, high tech weapons dont matter. Remember almost half the households have guns, and the guns are spread out all across the country.

You also have to keep in mind that soldiers are not automata. If citizens have sufficient ability to resist and if there are enough resisting that it's necessary to deploy military forces to stop them, then many of the soldiers will be at least somewhat on the side of the resisters, and many more will be unwilling to fire on their countrymen.

As for what guerrilla forces who can hide among the populace and engage in hit-and-run tactics can achieve, even with vastly inferior weapons, see history.

Yeah, I was all with him until he got to #3. Here's my version of the third point:

America has a whole lot of rural areas where fathers teach their sons to hunt. This is something that is passed down, generation from generation, since in a lot of cases one of their ancestors settled in the area and hunted to stay alive. Not only is this so ingrained in our culture that it's not going to go anywhere anytime soon, it's also necessary because with the currently low proportion of predators to deer, deer are so o

well, that's the thing - if they really did so then turkish requests for records of turkish activities done in turkey would go through(obviously it's legal for them to demand such info from google, even if they haven't made it illegal enough for google to not comply - afaik google isn't banned & fined in turkey).

if they did adhere to local law always then they would be helping iranian authorities to eavesdrop, they would be helping isrealis tap on palestenian communications and so forth- though it seems

It's a good question; Is an unjust law still a valid law? I think we can agree in some broad sense that local statutes which violate human rights are unjust. Now the trick is to agree on "Human Rights" (see the UN's work in this regard for a culturally agnostic version) and on whether it is ok to violate unjust laws... Personally, I think so.

At the bottom of the article/summary, it notes that just encryption is not good enough against a real enemy (and not the made up ones by the tin foil hat crowd in the west) who will just beat your encryption key out of you. For a WW2 reference, you can have the most fancy code for your radio message but if the nazi's found you is possession of a radio, whether the message was encrypted or not, harmless or not, did not matter. No broadcasting!

Same in North Korea, hard to send any message out if you don't have a computer and the few computers that do have access are completely monitored. In Iran, all ISP's are state owned and controlled and so any signal that doesn't signal 100% innocent WILL be investigated and they won't take your word for it that you lost your key for PGP either.

It is what makes "darknet" programs such silly little kiddy toys. They only work in the west where your ISP doesn't give a shit what traffic goes over which port. But if a government wants to monitor all traffic, all they got to do is filter out any traffic that doesn't fit pre-determined patterns. How would you disguise encrypted traffic to non-standard destinations? Back to radio, the fact that you are sending a signal is what alert the authorities, not the signal being received. Connect to some Tor node and that itself will be cause for investigation. And no, they don't need to have a list for all Tor node, they just need a list of "legit" destinations and then notice that yours isn't on that list.

No freedom sucks, it isn't that visiting "154.32.55.32" is illegal, it is that visiting anything but yahoo.com is illegal.

That is why ordinary film rolls are still used to get information out of North Korea with flesh and blood messengers. Sure, it is possible to use a cellphone near the border... but just the receiving of such a cellphone, just having an adapter to charge it, is a crime. And they don't need evidence.

Thank [insert object of worship] that 99% of us never have to deal with true repression. Real repression is your finger nails being torn out because someone near you at one point might have done something someone didn't like and you don't even have a clue and nobody cares.

Fiddle around with your PGP and Tor all you want, it only works because in the west, because the state operates under rules which don't allow them to simply let you disappear because they thought you might have done something someone didn't like.

Activist/user-controlled decentralised ad-hoc wifi networks that sidesteps ISPs to relay information across borders may be an option but the broadcast signals of such a network will quickly give it away if someone looks for wifi activity. Yeah, film rolls or memory cards hidden way up the a** probably offer better bandwith and stealth...

The question doesn't matter. The new bill *requires* the ISPs and websites like google turn-over customer data and web history to the Dept. of Homeland Insecurity (you feel insecure because you never know when they will harass you). Even if google wanted to turn down a request, they cannot.

Just beacuse there's tyranny and oppression in other parts of the world does not mean that there isn't tyranny and oppression in the U.S., or that the U.S. is not headed in that direction.

And, if indeed there is tyranny and oppression in the U.S., then there's even less of a moral standing to point to tyranny and oppression in other countries. I think the saying is: If your house isn't perfect, you've no business telling others how to fix theirs (or the in case of the U.S., "fixing" it for them).

Derailing....."But what about democratic countries like Canada and Germany, which nonetheless have anti-hate-speech laws that are inconsistent with American free speech guarantees?"
What exactly are these free speech guarantees you speak of? It almost seems like you are implying that the US has free speech with zero or no restrictions???

Google has entire legal departments devoted to making these decisions on a case by case basis.

In order to do business in a jurisdiction, a business must agree to abide by their laws. Google cannot stat outright that they will not obey legal requests, or they would not be allowed to operate. They have lawyers to decide when they can get away with not complying, when they can obfuscate, when they can delay, and when they should capitulate.